<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Chm - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/chm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/chm/feed.xml" rel="self" type="application/rss+xml"/><item><title>HTML Help Executable Spawning Child Processes</title><link>https://feed.craftedsignal.io/briefs/2024-01-html-help-spawn/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-html-help-spawn/</guid><description>The execution of hh.exe (HTML Help) spawning a child process indicates the use of a Compiled HTML Help (CHM) file to execute potentially malicious Windows script code.</description><content:encoded><![CDATA[<p>Attackers may abuse the HTML Help executable (hh.exe) to execute malicious code on a target system. Compiled HTML Help (CHM) files can contain embedded scripts or links to external resources. When a CHM file is opened, hh.exe renders the content, potentially triggering the execution of malicious scripts. This technique is often used to bypass security controls and deliver malware. This behavior is significant as it may indicate an attempt to execute malicious scripts via CHM files, a known technique for bypassing security controls. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system. The LOLBAS project documents this use of hh.exe, and it has been observed in use by various threat actors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious CHM file containing embedded scripts or links.</li>
<li>The CHM file is delivered to the victim via email or other means.</li>
<li>The victim opens the CHM file, which is processed by hh.exe.</li>
<li>Hh.exe renders the HTML content within the CHM file.</li>
<li>The embedded script (e.g., JavaScript, VBScript) or link is executed.</li>
<li>The script spawns a child process (e.g., cmd.exe, powershell.exe) using ShellExecute or similar methods.</li>
<li>The child process executes arbitrary commands, downloads malware, or performs other malicious actions.</li>
<li>The attacker gains control of the system or exfiltrates data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to arbitrary code execution, allowing the attacker to compromise the system. This can result in data theft, installation of malware, or further propagation within the network. The number of potential victims is broad, as CHM files can be distributed through various channels. The impact ranges from individual workstation compromise to widespread organizational breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for hh.exe spawning child processes to detect potential malicious activity, as described in the overview.</li>
<li>Implement the Sigma rule <code>Detect HTML Help Spawning CMD</code> to identify instances of hh.exe spawning command interpreters.</li>
<li>Deploy the Sigma rule <code>Detect HTML Help Spawning PowerShell</code> to detect instances of hh.exe spawning PowerShell processes.</li>
<li>Enable Sysmon process creation logging to capture the necessary process execution data.</li>
<li>Block known malicious CHM files based on file hash (if available from threat intelligence feeds, although none are included here).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>html-help</category><category>chm</category><category>lolbas</category><category>process-creation</category></item></channel></rss>